Abstract

It has been widely claimed and believed that many protocols in quantum key dis- 
tribution, especially the single-photon BB84 protocol, have been proved unconditionally 
secure at least in principle, for both asymptotic and finite protocols with realistic bit 
lengths. In this paper it is pointed out that the only known quantitative justification 
for such claims is based on incorrect assertions. The precise security requirements are 
described in terms of the attacker's sequence and bit error probabilities in estimating 
the key. The extent to which such requirements can be met from a proper trace distance 
criterion is established. The results show that the quantitative security levels obtainable 
in concrete protocols with ideal devices do not rule out drastic breach of security unless 
privacy amplification is more properly applied, while it is problematic whether a positive 
net key can be generated from current approaches.

In quantum key distribution (QKD), quantum effects that have no classical analog are
utilized for generating a sequence of bits (the secret key K) between two parties A and B
that is known only to themselves. The typical approach involves the information-disturbance
tradeoff in BB84 type protocols [1], but other quantum approaches that do not use such a
tradeoff are possible, say KCQ (keyed communication in quantum noise) [2]. It has been
claimed since long ago and maintained to this day [3] that BB84 has been proved to possess
unconditional security (UCS), which is in fact the major advantage of QKD compared to
other known ciphers. What does UCS mean exactly?

In conventional classical key distribution such as the public key RSA scheme, to which
QKD is often compared, security is based on computational complexity: it is computationally
difficult for an adversary E to compute the key, though it is in principle possible.
This means K does not possess information-theoretic security (ITS), that is, there is no
intrinsic probabilistic uncertainty in K. In this paper we assume the cryptosystem model is a
complete representation of all the relevant physical attributes of the cryptographic situation,
although the fact that it has not been so in BB84 is a major loophole of concrete protocols [4].
Thus, UCS is to be discussed under the assumption that everything fits the ideal system
model, as such a security claim is usually so understood in the literature.

It is evident from the above description that UCS means no more than ITS for all possible
uses of K, assuming the laws of quantum mechanics are universal. This in turn means UCS
is a quantitative issue, since it involves probability (as in fact quantum mechanics itself does),
and so the numerical value of the probability of E's success in finding K gives one actual
(unconditional) security level of the QKD protocol. Indeed, E may want to identify only
a portion of K, so her probabilities of finding various subsets K* of K are also important
quantitative criteria associated with UCS. In addition, when K is used in one-time pad
form (xor'ed into the data bits), as often suggested for QKD to get true UCS instead of using
K as the seed key of a conventional cipher such as AES, the number of actual bit errors
E makes in estimating K or its subsets from her attacks, to be called E's bit error rates
(BER) in contrast to the above "sequence error probabilities", would be relevant additional
quantitative criteria for UCS. Such a leak would be equivalent to a leak from a nonuniform a
priori probability distribution on K.

One more major distinction needs to be made, raw security versus KPA security [5].
E can try to estimate the above probabilities from just the probe she set and the public
exchange before K is actually used. The quantitative results she so obtains give the raw
security of K. When K is actually used, E may obtain further information, and she could in
principle make measurements on her probe after such information becomes available. The
resulting probabilities determine the "composition security" of K. We restrict to a specific
form of composition security that E could readily launch in many applications, known-
plaintext attacks (KPA). Indeed we restrict to just the KPA in which a segment of K is
known to E exactly, say from knowing some data bits and of course the ciphertext bits when
K is used in one-time pad form. Such partial knowledge of K may help her determine the
rest of K and hence the rest of the data segment she did not know. KPA security refers
to these quantitative probabilities E may get. Note that ITS in raw security is obtained in
conventional key expansion [5] from a shared secret key, which is also needed in QKD for
message authentication, but there is no ITS under known plaintext attacks.
The ideal UCS or ITS is obtained when E has a uniform probability U(k) for all the
possible values of the n-bit generated key K, and it is independent of whatever information
E may possess. It would be good UCS if such a situation is obtained with a sufficiently high
probability. This is precisely the claim that has been maintained in the QKD literature since
[6,7] to the recent review in [3] and beyond. We will also show that the other, mathematically
unspecific, justification of UCS in terms of a "distinguishability advantage" is not applicable.
Both of these justifications are given in terms of a trace-distance criterion d. In this paper we will
determine the extent to which d could provide quantitative UCS.

Before proceeding, it may be noted that this issue lies at the heart of the whole security 
foundation of QKD, of exactly what security at what level with what empirical meaning 
one can obtain from QKD. In contrast to most issues in physics, this cannot be decided by 
an experiment and a careful conceptual and mathematical development is the only way to 
resolve it. 

Let K* be a subset of K from an arbitrary fixed subset of the n bit positions of K. Thus
K* contains 1 to n bits and may take one of $2^{|K^*|}$ possible values. Let $p_1(K^*)$ be E's optimal
probability of estimating K* from her attack. The probability $p_1(K)$ is especially important
because it is the probability of E successfully estimating the whole K. For raw security one
needs to upper bound each $p_1(k^*)$ to an acceptable level, say

$$p_1(k^*) < 2^{-|K^*|} + \epsilon' \qquad (1)$$

for some $\epsilon'$ that may depend on $|K^*|$. This may happen only with a certain probability itself
depending on the exact value of K* and other system parameters. It is usually only possible
to usefully bound the average $p_1(K^*)$ over the values of K*, which replaces the individual
value on the left side of (1). Such a bound can be converted to the form of (1) by application
of the Markov Inequality.

Under KPA, E knows a subset $X_1$ of the data X encrypted by K. In the one-time pad
format E would then know a corresponding segment $K_1 = k_1$ of K, which she could use to
help her get other subsets $K_2^*$ of $K_2$ in the rest of $K = K_1 \cup K_2$. For UCS one needs to
bound, for small $\epsilon''$ that may depend on $|K_1|$ and $|K_2^*|$,

$$p_1(k_2^* \,|\, K_1 = k_1) < 2^{-|K_2^*|} + \epsilon'' \qquad (2)$$

when a portion $K_1$ of K is known to be $k_1$ and a subset $K_2^*$ is to be estimated. Again, an
average over $K_1$ and $K_2^*$ may be needed to derive such bounds. Note that for a uniform key,
(1) would be satisfied with equality for $\epsilon' = 0$, and if it is independent of E's information,
(2) would be similarly satisfied with $\epsilon'' = 0$, thus giving perfect UCS. If such a situation can
be obtained with high probability (from other random parameters in the system), then the
protocol has perfect UCS with high probability, which is exactly the current claim [3,6,7].

Note that the criteria (1)-(2) are the only operationally meaningful security criteria,
to which any other criterion in the form of an information theoretic quantity [8] must reduce,
including mutual information and variational distance. This should be clear if one asks the
question: what is the empirical or operational guarantee, given that the criterion is at a given
level?

The claim that K gives the above perfect UCS with high probability is made on behalf
of the trace distance criterion d, defined as follows. During key generation E sets her probe
and the protocol goes forward. After privacy amplification the final key K is generated with
corresponding "prior probability" p(k) and probe state $\rho_E^k$ for each k. Let

$$\rho = \sum_k p(k)\,|k\rangle\langle k| \qquad (3)$$

for N orthonormal $|k\rangle$'s in the space $\mathcal{H}_K$, $N = 2^n$. Let $\rho_E = \sum_k p(k)\,\rho_E^k$ and
$\rho_{KE} = \sum_k p(k)\,|k\rangle\langle k| \otimes \rho_E^k$. The criterion d is defined to be

$$d = \tfrac{1}{2}\,\|\rho_{KE} - \rho_U \otimes \rho_E\|_1 \qquad (4)$$

where $\rho_U$ is given by (3) with p(k) = U(k) for the uniform random variable U. It can be
readily shown (similar to Lemma 2 in [6]) that

$$d = \tfrac{1}{2}\sum_k \left\| p(k)\,\rho_E^k - \tfrac{1}{N}\,\rho_E \right\|_1 . \qquad (5)$$

A key K with $d < \epsilon$ is called "$\epsilon$-secure", as it has been forced by privacy amplification to be
$\epsilon$-close to U. But what is the operational meaning of $d < \epsilon$?

The major interpretation that has been given to $d < \epsilon$ amounts to saying that perfect UCS
is obtained with probability $\geq 1 - \epsilon$. In [6] it is explicitly stated "The real and the ideal
setting can be considered identical with probability at least $1 - \epsilon$." In [9,3] it is expressed
with a different nuance, with $\epsilon$ understood as the "maximum failure probability" of the protocol
"where 'failure' means that 'something went wrong', e.g., that an adversary might have
gained some information on K".

The justification of such an erroneous interpretation of d is derived from the interpretation
of Lemma 1 in [6] that the variational distance v(P,Q) between two distributions P and Q
on the same sample space, the classical counterpart of trace distance, "can be interpreted
as the probability that two random experiments described by P and Q, respectively, are
different." That this interpretation cannot be true in any situation has been discussed in
[5,10]. Here we give a simple example to bring out why.

Consider a distribution P on a measurement result with N outcomes in which $P_i$ takes one value
for $i \in \{1, \ldots, y\}$ and another for $i \in \{y+1, \ldots, N\}$, chosen so that $v(P, U) = \epsilon$. Then E "gains information"
compared to the ideal case with probability 1/2, not $\epsilon$. This example clearly shows that variational
distance is not the maximum probability that information is leaked.
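The example above leaves the two values of $P_i$ unspecified. The following Python check is an added illustration, not code from the paper: it fixes one concrete choice as an assumption (the first half of the outcomes at $(1+2\epsilon)/N$, the second half at $(1-2\epsilon)/N$), verifies $v(P,U) = \epsilon$ exactly in rational arithmetic, and computes the probability that E lands on an outcome that is more likely than under U. It also builds a second distribution at the same distance with all the excess on a single key value, showing that the optimal guessing probability from the prior alone can already reach $1/N + \epsilon$, an additive rather than a "failure probability" effect.

```python
# Added illustration, not code from the paper.  Exact rational arithmetic so
# the distances come out exactly rather than up to floating-point error.
from fractions import Fraction
from typing import List


def variational_distance(p: List[Fraction], q: List[Fraction]) -> Fraction:
    """v(P,Q) = (1/2) sum_i |p_i - q_i|, the classical counterpart of the
    trace distance d."""
    assert len(p) == len(q)
    return sum(abs(a - b) for a, b in zip(p, q)) / 2


def uniform(n: int) -> List[Fraction]:
    return [Fraction(1, n)] * n


def half_half(n: int, eps: Fraction) -> List[Fraction]:
    """Assumed concrete version of the text's example: the first n/2 outcomes
    carry (1+2eps)/n each, the remaining n/2 carry (1-2eps)/n each."""
    assert n % 2 == 0 and 0 <= eps <= Fraction(1, 2)
    hi = (1 + 2 * eps) / n
    lo = (1 - 2 * eps) / n
    return [hi] * (n // 2) + [lo] * (n // 2)


def spike(n: int, eps: Fraction) -> List[Fraction]:
    """A second distribution at distance eps from uniform: all excess mass on
    key value 0, the deficit spread evenly over the other n-1 values."""
    assert 0 <= eps <= Fraction(n - 1, n)
    p = [Fraction(1, n) - eps / (n - 1)] * n
    p[0] = Fraction(1, n) + eps
    return p


def prob_of_advantage(p: List[Fraction], q: List[Fraction]) -> Fraction:
    """Probability, under P, of an outcome that is strictly more likely under
    P than under Q: the event on which E 'gains information' relative to the
    ideal distribution Q."""
    return sum(a for a, b in zip(p, q) if a > b)


def guessing_probability(p: List[Fraction]) -> Fraction:
    """Optimal probability of guessing a value drawn from P with no side
    information: pick the most likely value."""
    return max(p)


if __name__ == "__main__":
    n, eps = 2 ** 10, Fraction(1, 1000)   # assumed key size and distance
    u = uniform(n)
    hh = half_half(n, eps)
    print("half/half: v =", variational_distance(hh, u),
          " P[E gains] =", prob_of_advantage(hh, u))
    sp = spike(n, eps)
    print("spike    : v =", variational_distance(sp, u),
          " p_1 =", guessing_probability(sp), " vs 1/N =", u[0])
```

For the half/half choice the "gain" event has probability $\tfrac{1}{2} + \epsilon$, essentially 1/2 whatever $\epsilon$ is; for the spike the distance is the same $\epsilon$ yet the best guess succeeds with probability $1/N + \epsilon$, which is the shape of the bound (6) below rather than anything like "secure except with probability $\epsilon$".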

Operational security significance for d can be derived, however, from the classical prop-
erties of the variational distance between K and the uniform distribution U. Under $d < \epsilon$,
condition (1) holds for the K*-averaged $p_1(K^*)$ with $\epsilon' = \epsilon$. We separate out the case for
the whole K due to its crucial role:

$$p_1(K) \leq \frac{1}{N} + \epsilon . \qquad (6)$$

Under KPA, it is not possible to have $p_1(k_2^*\,|\,K_1 = k_1)$ upper bounded by a small number,
because it can be arbitrarily close to 1 for any given $K_1 = k_1$. Such $k_2^*$ can occur with
arbitrarily small but nonzero p(k), satisfying any $d < \epsilon$ constraint for nonzero $\epsilon$. The best
one can hope for is a bound of the form (2) when $K_1$ itself is averaged over. This in fact holds under
$d < \epsilon$, where the $K_1$- and $K_2^*$-averaged $p_1$ satisfies

$$p_1(K_2^*\,|\,K_1) \leq 2^{-|K_2^*|} + \epsilon . \qquad (7)$$

We outline here the proof of (7), which covers the raw security of no conditioning as a
special case. Let Y be the measurement random variable of the relevant optimum quantum
measurement E makes. One can write $p_1(k_2^*\,|\,K_1 = k_1)$ as a sum over $y \in I_{k_2^*|k_1}$,
where $I_{k_2^*|k_1}$ is the optimal decision region on $K_2^*$ given $K_1 = k_1$, irrespective of the
other bits $K_2'$ of $K_2$. From equation (11.137) of [11] it follows that
$p(k_2^*\,|\,y, k_1) \leq p(k_2^*\,|\,k_1) + \epsilon_y$ with $\sum_y p(y)\,\epsilon_y = \epsilon$.
Extending the sum over $y \in I_{k_2^*|k_1}$ to all y leads to (7).
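Both bounds (6) and (7), and the failure of any bound for an individual value $K_1 = k_1$, can be checked by brute force in a classical toy model. The following Python is an added worked example, not code from the paper: E's probe is taken to be a classical record Y, so the trace distance (4)-(5) reduces to the variational distance $\tfrac{1}{2}\sum_{k,y}|P(k,y) - P(y)/N|$, and the optimal guessing probabilities are sums of maxima. The leakage model is a constructed assumption: K is uniform on n bits, and Y reveals the last key bit exactly when the first n-1 bits equal one fixed "trigger" value, otherwise Y is blank.

```python
# Added worked example, not code from the paper.  A classical toy model in
# which E's probe is a classical record Y, so the trace distance (4)-(5)
# reduces to a variational distance and the bounds (6)-(7) can be checked by
# brute force.  The leakage model (Y reveals the last key bit only when the
# first n-1 bits equal one fixed 'trigger' value) is a constructed assumption.
from fractions import Fraction
from itertools import product
from typing import Dict, Hashable, Optional, Tuple

Key = Tuple[int, ...]
Joint = Dict[Tuple[Key, Hashable], Fraction]   # P(k, y)

BLANK = "blank"


def build_joint(n: int, trigger: Key) -> Joint:
    """K uniform on {0,1}^n; y = last bit of k if k[:-1] == trigger, else BLANK."""
    assert len(trigger) == n - 1
    joint: Joint = {}
    for k in product((0, 1), repeat=n):
        y = k[-1] if k[:-1] == trigger else BLANK
        joint[(k, y)] = Fraction(1, 2 ** n)
    return joint


def _keys_and_ys(joint: Joint):
    keys = sorted({k for k, _ in joint})
    ys = sorted({y for _, y in joint}, key=str)
    return keys, ys


def distance_to_uniform(joint: Joint, n: int) -> Fraction:
    """Classical form of (4)/(5): d = 1/2 sum_{k,y} |P(k,y) - P(y)/N|, N = 2^n."""
    N = 2 ** n
    keys, ys = _keys_and_ys(joint)
    p_y = {y: sum(joint.get((k, y), Fraction(0)) for k in keys) for y in ys}
    total = sum(abs(joint.get((k, y), Fraction(0)) - p_y[y] / N)
                for k in keys for y in ys)
    return total / 2


def guess_whole_key(joint: Joint) -> Fraction:
    """p_1(K) = sum_y max_k P(k,y): E's optimal success probability on all of K."""
    keys, ys = _keys_and_ys(joint)
    return sum(max(joint.get((k, y), Fraction(0)) for k in keys) for y in ys)


def guess_rest_given_prefix(joint: Joint, n: int, m: int,
                            k1: Optional[Key] = None) -> Fraction:
    """KPA with K_1 = first m bits known, K_2 = remaining n-m bits to estimate.
    k1 is None : the K_1-averaged p_1(K_2|K_1) = sum_{k1,y} max_{k2} P(k1,k2,y)
    k1 given   : p_1(K_2|K_1=k1)             = sum_y max_{k2} P(k2,y|k1)."""
    keys, ys = _keys_and_ys(joint)
    prefixes = sorted({k[:m] for k in keys}) if k1 is None else [tuple(k1)]
    total = Fraction(0)
    for a in prefixes:
        for y in ys:
            total += max(joint.get((a + b, y), Fraction(0))
                         for b in product((0, 1), repeat=n - m))
    if k1 is not None:   # normalise by P(K_1 = k1) to get a conditional probability
        total /= sum(joint.get((tuple(k1) + b, y), Fraction(0))
                     for b in product((0, 1), repeat=n - m) for y in ys)
    return total


if __name__ == "__main__":
    n, m = 8, 7                      # assumed: 8-bit key, 7 bits known under KPA
    trigger = (1,) * m
    J = build_joint(n, trigger)
    d = distance_to_uniform(J, n)
    print("d =", d, "~", float(d))
    print("p_1(K)       =", guess_whole_key(J),
          " <= 1/N + d =", Fraction(1, 2 ** n) + d)
    print("p_1(K_2|K_1) =", guess_rest_given_prefix(J, n, m),
          " <= 2^-1 + d =", Fraction(1, 2) + d)
    print("p_1(K_2|K_1=trigger) =", guess_rest_given_prefix(J, n, m, trigger))
    print("p_1(K_2|K_1=zeros)   =", guess_rest_given_prefix(J, n, m, (0,) * m))
```

For n = 8 this gives $d = 509/32768 \approx 0.016$, and both the averaged bounds hold: $p_1(K) = 3/256 \leq 1/256 + d$ and $p_1(K_2|K_1) = 129/256 \leq 1/2 + d$. Conditioned on the trigger value of $K_1$, however, E recovers $K_2$ with probability exactly 1, while for every other value she is at the chance level 1/2. Increasing n with the same construction drives d toward zero without changing that conditional success probability, which is the point made about (2) above.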

Inequality (6) was previously given in [10]; the full operational significance of $d < \epsilon$
is given here in (7) for the first time. These sequence error probabilities constitute the
appropriate criteria when K is used as the seed key in a conventional cipher such as AES.
For the more commonly suggested use of K in one-time pad form, the bit error rate (BER)
is also important, because E may get many bits correctly even when she gets the whole K*
wrong. This is the common distinction between sequence error rate and bit error rate in
ordinary communications. BER is defined to be the per bit error probability, with $N^* = 2^{|K^*|}$,

$$p_b = p_b(K^*) = \frac{1}{|K^*|}\sum_{i=1}^{|K^*|} P_e(i) \qquad (8)$$

where $P_e(i)$ is the probability that the ith bit in K* is incorrectly obtained from Eve's
estimate of K*. Here we summarize the BER result in [11].

The only known general lower bound on $p_b$ is the Fano Inequality [11], which gives in
this case, with $I_{ac}$ being E's quantum accessible information,

$$n\,h(p_b) \geq H(K) - I_{ac} \qquad (9)$$

where $h(\cdot)$ is the binary entropy function and H(K) the entropy of K. The H(K) for K
is determined by p(k) in (3). From d we can bound H(K) by [11, Theorem 17.3.3], which
yields, for $p_b = \tfrac{1}{2} - \epsilon'$ and small $\epsilon'$, $\epsilon' < (\epsilon / 4\log e)^{1/2}$. Since the Markov Inequality needs to be
used twice before this $\epsilon'$ is applied, it is similar to the case of using it three times, and the
final $\epsilon'$ in (1) is thus

$$\epsilon' < \frac{\epsilon^{1/6}}{2\sqrt{\log e}} . \qquad (10)$$

As expected, the BER guarantee from (10) is worse than that of the corresponding sequence
error probability.
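The Fano route from d to a BER guarantee can be carried out numerically rather than through the small-$\epsilon'$ expansion. The following Python is an added worked example, not code from the paper: it lower-bounds H(K) from d with the entropy continuity bound of Cover and Thomas, Theorem 17.3.3 ($|H(P) - H(Q)| \leq -\|P-Q\|_1 \log_2(\|P-Q\|_1/|X|)$ for $\|P-Q\|_1 \leq 1/2$, with $\|P_K - U\|_1 = 2d$), then inverts (9) by bisection to find the smallest $p_b$ that Eve could possibly achieve. The accessible information $I_{ac}$ is left as an input; the key length, d and $I_{ac}$ values in the usage call are assumptions for illustration.

```python
# Added worked example, not code from the paper.  It carries out the Fano
# route to a BER guarantee that the text sketches: lower-bound H(K) from d
# with the entropy continuity bound of Cover & Thomas, Theorem 17.3.3
# (|H(P)-H(Q)| <= -||P-Q||_1 log2(||P-Q||_1/|X|) when ||P-Q||_1 <= 1/2),
# then invert n*h(p_b) >= H(K) - I_ac numerically.  The accessible
# information I_ac is an input; the values in the usage call are assumptions.
import math


def binary_entropy(p: float) -> float:
    """h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def entropy_lower_bound(n: int, d: float) -> float:
    """H(K) >= n - l1*log2(N/l1) with l1 = ||P_K - U||_1 = 2d and N = 2^n.
    Written as n - l1*(n + log2(1/l1)) to avoid forming 2^n for large n."""
    l1 = 2.0 * d
    if l1 == 0.0:
        return float(n)
    assert l1 <= 0.5, "Theorem 17.3.3 needs ||P-U||_1 <= 1/2"
    return n - l1 * (n + math.log2(1.0 / l1))


def fano_ber_lower_bound(n: int, h_k: float, i_ac: float,
                         tol: float = 1e-12) -> float:
    """Smallest p_b in [0, 1/2] with n*h(p_b) >= H(K) - I_ac, found by
    bisection on the increasing branch of h.  E's per-bit error rate on the
    whole key cannot be below this value."""
    target = (h_k - i_ac) / n
    if target <= 0.0:
        return 0.0
    if target >= 1.0:
        return 0.5
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if binary_entropy(mid) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def excess_bits(n: int, p_b: float) -> float:
    """Bits E gets right beyond coin flipping on an n-bit key: n*(1/2 - p_b)."""
    return n * (0.5 - p_b)


if __name__ == "__main__":
    n, d = 1000, 2.0 ** -10          # assumed key length and trace distance
    h_k = entropy_lower_bound(n, d)
    for i_ac in (0.0, 10.0, 100.0):  # assumed accessible-information levels
        p_b = fano_ber_lower_bound(n, h_k, i_ac)
        print(f"I_ac={i_ac:6.1f}  H(K)>={h_k:.3f}  p_b>={p_b:.4f}  "
              f"excess bits<={excess_bits(n, p_b):.1f}")
```

Even with $I_{ac} = 0$, a 1000-bit key at $d = 2^{-10}$ only yields $p_b \gtrsim 0.474$ from this route, about 26 bits beyond chance, because the bound on H(K) from d is itself weak; this is the "very nonlinear relation between $p_b$ and d" referred to later in the text, before any Markov conversion is applied.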

In contrast to the sequence error case, there is no result similar to (6)-(7) for subsets
K* or $K_2^*$, because there is no lower bound on $H(K^*)$ or $H(K_2^*\,|\,K_1)$ from d or H(K), and
it is possible to have arbitrarily small but nonzero $H(K^*)$, especially when conditioned on
$K_1 = k_1$. Thus, the result on BER is limited to E's attack on the whole K in raw security.

There is an original argument [15] that purports to show d has general raw and com-
position security from its mere form in (4), because the optimum binary quantum decision
probability $P_c$ between two states $\rho_0$ and $\rho_1$ with a priori probabilities $P_0$ and $P_1$ is given by

$$P_c = \tfrac{1}{2} + \tfrac{1}{2}\,\|P_0\rho_0 - P_1\rho_1\|_1 \qquad (11)$$

and the two terms in (4) represent the real and the ideal situation, thus d provides a bound on
the "distinguishability advantage". However, E is not trying to distinguish the two situations
by a binary decision, thus (4) and (11) give the wrong criterion in either raw or KPA security.
The correct criteria are (1)-(2) in terms of E's probability of success in identifying various
K*. Note also that (4) is itself a fictitious representation and in any case not available to E,
or she could just measure on $\mathcal{H}_K$ to get K. The form (5) for d is much less misleading than
the entanglement form (4). Further discussion can be found in [10].

That "universal composable security" does not follow from (4) and (11) is especially clear
in the case of BER, where no bound on $p_b(K_2^*\,|\,K_1)$ can apparently be derived from $d < \epsilon$,
due to the very nonlinear relation between $p_b$ and d already apparent in (10). To establish a
security claim, one needs to write down mathematically what is being claimed and provide
a derivation from the given, in this case $d < \epsilon$. The incorrect "maximum failure probability"
interpretation of d gives such a derivation for raw and composition security, but it cannot
be true. We have provided the correct security guarantees (6)-(7) and (10) from $d < \epsilon$,
but they are far weaker than those from the incorrect interpretations [12].

The significant point in this correction is that E makes an N-ary decision in estimating
K, or an N*-ary decision in estimating K*. From the viewpoint of a binary decision for (4)
and (11) with $P_0 = \tfrac{1}{2}$, $d = 2^{-10}$ may appear sufficient. However, for an N-ary decision with,
say, n = 1,000, it follows from (6) that such a d value does not rule out a disastrous breach
of security: that the whole 1,000 bit key may be obtained with a 0.1% probability. It is
clear that one needs to look at the quantitative security level with respect to a
proper reference level.

There is the persistent intuition that a criterion should be fine if the level is brought
down to a sufficiently small value, assuming the value is zero in the ideal case. This is true
if the value is exactly zero, but the whole question is how small is sufficiently small, or what
the reference level is. It is a quantitative issue through and through; UCS does not imply
security if its level is not good. In this connection, it may be pointed out that $I_{ac}$ has been
used as the QKD security criterion from the beginning up to some work to date. It has been
largely abandoned in the theory literature because it does not rule out possible disastrous
leaks from quantum information locking against KPA when E has quantum memory [13,14].
Indeed, the incorrect interpretation of d was proposed [13] in place of [15] for exactly this
problem. On the other hand, it can be shown [16] that if $I_{ac}$ is small enough such locking
information cannot be utilized either. A good reference level for this with an n-bit key is
$d = 2^{-n}$.

The raw security guarantee (6) from d [17] is totally inadequate for the analyzed finite
protocols with their numerical values of the parameters, as follows. The most up to date
finite-key analysis of the single photon BB84 protocol with no loss and ideal devices [18]
gives typical d levels of $10^{-9}$ for 5% QBER and 10% key rate, for $n \sim 10^5$ at the limit of
present day error correcting code block length. After the Markov Inequality is applied twice, for the K and privacy
amplification averaging, the resulting individual probability guarantee is $d^{1/3} = 10^{-3}$. That
is, it is not ruled out that Eve may have an estimate that has a probability of 0.001 of finding
the whole key, a disastrous breach of security. In such a case, there is effectively
only a 10 bit protection of the key. The BER guarantee of (9)-(10) shows E has
$p_b \sim 0.49$ instead of 0.5 when attacking the whole K, which for $n = 10^5$ amounts to knowing
1,000 bits more, considerably bigger than a favorable (to E) binomial fluctuation level of
$\sim 200$. In the NEC experimental decoy state system [19] the criterion $I_{ac}$ was used, but a
corresponding $p_1(K)$ is also given [20], consistent with the result of [2], with $p_1(K) \sim 10^{-6}$
for $n \sim 4,000$. After taking the cube root, as for d, this implies that the individual probability guarantee is
the way too large 1%, with a BER guarantee of $p_b \sim 0.4$. These results show that a much smaller d
value needs to be guaranteed in privacy amplification. See [21].
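The arithmetic behind these figures, and behind the n = 1,000 example earlier, is short enough to automate. The following Python is an added worked example, not code from the paper: it converts an averaged guarantee (an expectation bounded by $\epsilon$) into an individual one by iterated Markov inequalities, evaluates the whole-key bound (6), and reports the "bits of protection" that a success probability corresponds to. The equal split $t = \epsilon^{1/(m+1)}$ at every one of the m averaging layers is our formalisation of "apply the Markov Inequality twice" (m = 2 gives the cube root used above); other splits are possible and change the constants. The key lengths and d values in the usage call are the ones quoted in the text.

```python
# Added worked example, not code from the paper: converting an averaged
# guarantee into an individual one by iterated Markov inequalities, and the
# resulting figures for the d levels quoted in the text.  The equal split
# t = eps^(1/(m+1)) at every layer is our formalisation of 'apply the Markov
# Inequality twice'; other splits are possible and give different constants.
import math
from typing import Dict, Tuple


def individual_guarantee(eps: float, layers: int) -> Tuple[float, float]:
    """E[X] <= eps, the expectation running over `layers` nested averages
    (e.g. the privacy-amplification hash and the key value).  Returns (t, q)
    such that X <= t except with probability <= q.

    Layer j (1..layers) applies Markov to the remaining conditional mean with
    threshold t^(layers+1-j).  With t = eps^(1/(layers+1)) each layer fails
    with probability <= t, so by the union bound q = layers * t.
    layers = 0 means the averaged bound is already the individual one."""
    t = eps ** (1.0 / (layers + 1))
    return t, layers * t


def bits_of_protection(p: float) -> float:
    """-log2(success probability): the key length that p is equivalent to."""
    return -math.log2(p)


def whole_key_bound(n: int, d: float) -> float:
    """Bound (6): p_1(K) <= 1/N + d, N = 2^n."""
    return 2.0 ** (-n) + d


def binomial_fluctuation(n: int) -> float:
    """Standard deviation of the number of correct bits when each of n bits
    is guessed by a fair coin: sqrt(n/4)."""
    return math.sqrt(n / 4.0)


def finite_key_summary(n: int, d: float, layers: int = 2) -> Dict[str, float]:
    """Averaged bound (6), the individual level after `layers` Markov steps,
    and the bits of protection that level corresponds to."""
    level, exception = individual_guarantee(whole_key_bound(n, d), layers)
    return {
        "averaged_p1_bound": whole_key_bound(n, d),
        "individual_level": level,
        "exception_probability": exception,
        "bits_of_protection": bits_of_protection(level),
    }


if __name__ == "__main__":
    # Finite-key BB84 figures quoted in the text: n ~ 1e5, d = 1e-9, two averages.
    print("BB84 finite key :", finite_key_summary(10 ** 5, 1e-9, layers=2))
    # Earlier example: n = 1000, d = 2^-10, bound (6) used directly.
    print("n=1000, d=2^-10 :", finite_key_summary(1000, 2.0 ** -10, layers=0))
    # NEC decoy-state figure: averaged p_1(K) ~ 1e-6, cube root for the individual level.
    print("NEC p_1 ~ 1e-6  :", individual_guarantee(1e-6, layers=2))
    print("coin-flip fluctuation for n=1e5:", binomial_fluctuation(10 ** 5))
```

With d = $10^{-9}$ and two averaging layers the individual level is $10^{-3}$, i.e. just under 10 bits of protection, and the exception probability of the conversion itself is $2 \times 10^{-3}$; the averaged $p_1(K) \sim 10^{-6}$ of the NEC system becomes $10^{-2}$ in the same way. The coin-flip fluctuation for $n = 10^5$ is $\sqrt{n/4} \approx 158$, the "$\sim 200$" figure the text compares the 1,000 extra bits against.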

In conclusion, we have specified the operational requirement of unconditional security in
cryptography and determined the extent to which it can be satisfied by the trace distance criterion
$d < \epsilon$. It is seen that the d values given in the literature for finite protocols are very far
from ruling out a possible drastic breach of security. In addition, the results point to a serious
gap in the security proofs in connection with current treatments of error correction, and as
a consequence no concrete full protocol has been proved secure even under just collective
attacks [21]. It appears radically new elements need to be introduced to make QKD provably
secure with meaningful levels of security and key rate.